#pragma once
#include <base/types.h>
#include <boost/container/flat_set.hpp>
#include <vector>
namespace DB
{
/// How a user's credential is stored and verified at login.
/// The *_PASSWORD types keep a password (or a digest of it) locally in AuthenticationData;
/// LDAP, KERBEROS and SSL_CERTIFICATE delegate the check to an external party.
enum class AuthenticationType
{
    /// User doesn't have to enter password.
    NO_PASSWORD,

    /// Password is stored as is (no hashing): a leak of the stored data exposes the password itself.
    PLAINTEXT_PASSWORD,

    /// Password is stored as its SHA256 hash (hashed, not encrypted — the original cannot be recovered from it).
    SHA256_PASSWORD,

    /// SHA1(SHA1(password)).
    /// This kind of hash is used by the `mysql_native_password` authentication plugin.
    DOUBLE_SHA1_PASSWORD,

    /// Password is stored as a bcrypt hash; verified via AuthenticationData::Util::checkPasswordBcrypt.
    BCRYPT_PASSWORD,

    /// Password is checked by a [remote] LDAP server. Connection will be made at each authentication attempt.
    LDAP,

    /// Kerberos authentication performed through GSS-API negotiation loop.
    KERBEROS,

    /// Authentication is done in SSL by checking user certificate.
    /// Certificates may only be trusted if 'strict' SSL mode is enabled.
    SSL_CERTIFICATE,

    /// Count of the real types above; presumably a bound/sentinel rather than a usable type — confirm in callers.
    MAX,
};
/// Static descriptor of one AuthenticationType: the two spellings of its identifier.
struct AuthenticationTypeInfo
{
    /// Spelling returned by toString(); presumably the enumerator name as written (e.g. "SHA256_PASSWORD") — confirm in get()'s definition.
    const char * const raw_name;
    const String name; /// Lowercased with underscores, e.g. "sha256_password".
    /// Returns the descriptor for `type_`. Defined out of line.
    static const AuthenticationTypeInfo & get(AuthenticationType type_);
};
/// Returns the raw name of `type_` (AuthenticationTypeInfo::raw_name) as a String.
inline String toString(AuthenticationType type_)
{
    const AuthenticationTypeInfo & info = AuthenticationTypeInfo::get(type_);
    return info.raw_name;
}
/// Stores data for checking password when a user logins.
/// Carries one AuthenticationType together with the per-type material the check needs:
/// a password digest and salt, an LDAP server name, a Kerberos realm, or the set of
/// accepted SSL certificate common names. Which fields a given type actually consumes
/// is decided in the out-of-line definitions, not here.
class AuthenticationData
{
public:
    /// Byte sequence holding a password hash (see Util for how digests are produced).
    using Digest = std::vector<uint8_t>;

    explicit AuthenticationData(AuthenticationType type_ = AuthenticationType::NO_PASSWORD) : type(type_) {}
    AuthenticationData(const AuthenticationData & src) = default;
    AuthenticationData & operator =(const AuthenticationData & src) = default;
    AuthenticationData(AuthenticationData && src) = default;
    AuthenticationData & operator =(AuthenticationData && src) = default;

    /// The authentication type fixed at construction; there is no setter.
    AuthenticationType getType() const { return type; }

    /// Sets the password and encrypt it using the authentication type set in the constructor.
    void setPassword(const String & password_);

    /// Returns the password. Allowed to use only for AuthenticationType::PLAINTEXT_PASSWORD.
    String getPassword() const;

    /// Sets the password hash as a string of hexadecimal digits.
    void setPasswordHashHex(const String & hash);
    /// Returns the stored hash as hexadecimal digits.
    String getPasswordHashHex() const;

    /// Sets the password hash in binary form.
    void setPasswordHashBinary(const Digest & hash);
    /// Returns the stored hash bytes without copying.
    const Digest & getPasswordHashBinary() const { return password_hash; }

    /// Sets the salt in String form. Which authentication types use it is not visible in this header.
    void setSalt(String salt);
    String getSalt() const;

    /// Server name for authentication type LDAP.
    const String & getLDAPServerName() const { return ldap_server_name; }
    void setLDAPServerName(const String & name) { ldap_server_name = name; }

    /// Realm name for authentication type KERBEROS.
    const String & getKerberosRealm() const { return kerberos_realm; }
    void setKerberosRealm(const String & realm) { kerberos_realm = realm; }

    /// Accepted certificate common names for authentication type SSL_CERTIFICATE.
    const boost::container::flat_set<String> & getSSLCertificateCommonNames() const { return ssl_certificate_common_names; }
    void setSSLCertificateCommonNames(boost::container::flat_set<String> common_names_);

    /// Equality is defined out of line; inequality is its negation.
    friend bool operator ==(const AuthenticationData & lhs, const AuthenticationData & rhs);
    friend bool operator !=(const AuthenticationData & lhs, const AuthenticationData & rhs)
    {
        const bool equal = lhs == rhs;
        return !equal;
    }

    /// Digest helpers. The SHA functions and bcrypt are defined out of line.
    struct Util
    {
        /// Copies the bytes of `text` into a Digest as-is (no hashing).
        static Digest stringToDigest(std::string_view text) { return Digest(text.begin(), text.end()); }
        static Digest encodeSHA256(std::string_view text);
        static Digest encodeSHA1(std::string_view text);
        /// Hashes the raw bytes of an existing digest.
        static Digest encodeSHA1(const Digest & text)
        {
            const std::string_view bytes{reinterpret_cast<const char *>(text.data()), text.size()};
            return encodeSHA1(bytes);
        }
        /// SHA1(SHA1(text)), the mysql_native_password form.
        static Digest encodeDoubleSHA1(std::string_view text)
        {
            const Digest inner = encodeSHA1(text);
            return encodeSHA1(inner);
        }
        static Digest encodeDoubleSHA1(const Digest & text)
        {
            const Digest inner = encodeSHA1(text);
            return encodeSHA1(inner);
        }
        static Digest encodeBcrypt(std::string_view text);
        /// Verifies `password` against the stored bcrypt digest `password_bcrypt`.
        static bool checkPasswordBcrypt(std::string_view password, const Digest & password_bcrypt);
    };

private:
    AuthenticationType type = AuthenticationType::NO_PASSWORD;
    /// Hash bytes (or whatever setPassword* stores for the given type).
    Digest password_hash;
    String ldap_server_name;
    String kerberos_realm;
    boost::container::flat_set<String> ssl_certificate_common_names;
    String salt;
};
}